Passwords Again?

Over the years, PSMail has published several articles and much advice on creating strong passwords and on the benefits of supplementing them with our two-factor authentication. So you might be asking, “Why another article on passwords?”

Here’s a good example of why we harp on passwords: A Wired article written by Mat Honan describes how hackers exploited one (of several) inherent weaknesses in password security to gain access to his email accounts. They deleted everything – “eight years worth of email and documents” – and used the email account to take over his Twitter account as well. Honan says, “hackers destroyed my entire digital life in the span of an hour.”

Was it because he used weak passwords like “123456” or “password”? Nope. Honan used alphanumeric passwords, some with symbols thrown in for good measure. Was it because he carelessly left a list of all his account passwords lying around? Or used the same password on all his sites? Or gave someone access to his computer when he wasn’t around? Or was he the victim of a malware attack that stole his password and posted it online?

Nope. Even though all of these are legitimate weaknesses in a password-only security system, Honan’s accounts were hacked when someone called Apple and used a few details about his life to persuade support staff to reset his account password. Once they had the new password, they were in. And he was finished.

Passwords are often the only line of defense between you and digital disaster, and that’s why it’s important to give them due attention. By now we all know the advice that’s so frequently repeated:

There’s no doubt that all of these steps are essential and, further, that they go a long way to increasing your security. The problem is that increasingly even these steps are not enough. Hackers and scammers have found ways to get around even complex passwords (like the password reset strategy mentioned above) and if the password is your only line of defense… well, it may not be strong enough to bet the bank on (literally).

So, what’s to be done? Here are two steps you can take to further strengthen your defense against attack.

Use multi-factor authentication whenever it is available. Multi-factor authentication just means a second line of defense beside the password; a second way for a site to validate that you are really you. One of the most common types is a time-based token like PSMail’s software token, Google Authenticator. The app on your phone holds a secret shared with the site and uses it, together with the current time, to generate a short second password that changes every 30 seconds; the site computes the same value and checks that the two match, and a code that has been accepted once is not accepted again. Because the code is generated on the phone rather than sent to it, it cannot be intercepted in transit the way an SMS code can. Other multi-factor methods such as fingerprint scans, facial recognition, and hardware tokens should be used when available.

Use answers to security questions that are either bogus or difficult to discover. This may seem like an odd one, but often the answers to our security questions are things that a hacker can track down via social media. Things like “City you were born in,” “Name of a pet,” or even “Name of your best friend” may seem like a great second line of defense, but a patient hacker can often track down those answers (for example, how many of these three questions do you think could be answered from your Facebook account?). Treat each answer as a second password: pick something random that has nothing to do with the question, and keep it in your password manager so that you, and only you, can still recover the account.

Different websites and organizations, from your bank to your TV service, will have different options for multi-factor authentication. As mentioned, PSMail has provided the option for you to use two-factor authentication for your account in the form of a software token on your mobile phone. You can read more about it here.

The crooks will continue to evolve in their attempts to steal information from individuals and businesses and we must evolve too. Part of that evolution means not depending on a password alone for safety.

(“But what if it’s too late? What if hackers have compromised some of my key passwords?” We’ll be talking about having a plan in case of compromise in our next article.)